ICO.


Information Commissioner's Office


ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the
survey, or you have any general queries about the consultation, please
email us at datasharingcode@ico.org.uk.


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations
and individuals responding in a professional capacity will be published. We
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new
aspects of data protection legislation which are relevant to data
sharing?


[ ] Yes


[x] No


Q2 If not, please specify where improvements could be made. 


In our view most of the aspects of data protection legislation which are 
relevant to data sharing are well explained in the updated code, and we 
welcome the approach of providing in-depth guidance which is written in 
an approachable and easy-to-read fashion. 


However, we do have concerns that the updated code still does not 
adequately deal with the use of data sharing agreements. Please see 
our responses to Questions 6 and 8. 


Q3 Does the draft code cover the right issues about data sharing? 
Yes 


[ ] No


Q4 If no, what other issues would you like to be covered in it?


Q5 Does the draft code contain the right level of detail? 
[ ] Yes


[x] No


Q6 If no, in what areas should there be more detail within the draft 
code? 


In our view there is insufficient clarity in the code as to which
requirements are considered to be “best practice”, and which are
compulsory requirements in all circumstances. We appreciate that the
code is not intended to be binding, but given the indication that failure
to comply with the code may create difficulty in demonstrating
compliant data sharing, more detail is needed as to which areas the ICO
considers to be necessary in all cases, as opposed to those areas which
may apply depending on the circumstances. This particularly applies in
respect of the section on data sharing agreements; see our response to
Question 10 for further comments.


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation's data sharing practices? 


[ ] Yes


[x] No


Q8 If no, please specify what areas are not being addressed, or not
being addressed in enough detail 


We would welcome further guidance as to the requirements for joint 
controllers pursuant to Article 26 GDPR. In our view the requirements 
of Article 26 themselves are very brief and “broad brush”, and we had 
hoped that the expectations of the ICO in this regard would be detailed 
in the new code. However, there seem to be only minimal references to 
joint controllers (6 references in total), and these predominantly restate 
the contents of Article 26. 


We would like to see further guidance as to what arrangements are 
expected in respect of joint controllers; for example, would it be 
sufficient to comply with Article 26 if joint controllers simply agree that 
they will each be responsible for complying with their own obligations 
under GDPR/DPA? In such a case, each controller would be responsible 
for compliance with the data subject requests they each receive. 
Alternatively, does Article 26 require that a mechanism is put in place 
for the parties to produce a joint response to data subject requests? 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[ ] Yes


[x] No


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


We would like to provide feedback relating in particular to the “Data 
sharing agreements” section, and the associated scenarios in Annex D. 


We feel that there is a significant degree of ambiguity in this section as 
to what the expectations would be in the case of the common scenarios 
involving data sharing between 2 commercial organisations, where data 
is being disclosed by one controller to another, with no need to 
contemplate third parties being involved. This raises three questions for 
us: 


1. ARE THERE SITUATIONS WHERE A DATA SHARING AGREEMENT IS NOT REQUIRED 
AT ALL? 


The wording in the third bullet point on page 48 of the draft code 
suggests that there may be circumstances where this is the case 
(“... your data sharing agreement, where you have one”). We can 
envisage situations in a commercial setting where personal data is 
transferred, for example between a supplier and a customer, 
which is of such low sensitivity (for example the contact details of 
those responsible for managing the contract) that contractual
arrangements to cover that sharing might be considered 
unnecessary. Some guidance as to when contractual provisions 
are expected would be welcome, particularly as there is no 
requirement in the legislation for data sharing agreements beyond 
the Article 26 requirements. 


2. WHERE A DATA SHARING AGREEMENT IS REQUIRED, WHICH OF THE ITEMS
LISTED UNDER “WHAT SHOULD WE INCLUDE IN A DATA SHARING AGREEMENT?”
OUGHT TO BE INCLUDED IN ALL AGREEMENTS, AND WHICH ONLY APPLY TO MORE
COMPLEX ARRANGEMENTS?


In our view, there is a distinction between agreements where the 
data sharing is the main purpose of the agreement, and those 
where the data sharing is incidental to an agreement that is being 
put in place for another purpose (typically for the provision of 
services by a supplier). 


In the latter case, there are a number of the items listed in the 
guidance as “should explain / identify / deal with” which would not 
be appropriate for a more straightforward customer / supplier 
arrangement. For example: 


• “should also contain procedures for including additional
organisations in the data sharing arrangement”,


• “are recording data in the same way”,


• “have common rules for the retention and deletion of shared
data items” etc.


In our view, these types of requirements are likely to be more 
relevant to a multi-party-type arrangement of a kind entered into 
by public sector agencies (such as police, social services, 
education, and organisations dealing with drug abuse or domestic 
violence), and we would welcome some more clarity in the 
guidance as to the circumstances in which the various 
requirements should be considered. 


3. WHAT LEGAL REQUIREMENTS DOES THIS SECTION SEEK TO SATISFY? 


As noted above, there is no requirement in the legislation for data 
sharing agreements beyond the Article 26 requirements. In our 
view it would be helpful for those considering the application of 
the code to their activities to understand which legal requirements 
the items relating to data sharing agreements seek to comply 
with, particularly since the guidance appears to apply a level of 
detail at least equivalent to that required by Article 28 in respect 
of data processor agreements. 


Following on from the above, the case studies in Annex D that relate to
data sharing agreements are similarly aimed at complex, multi-party-type
arrangements (one referring to an information sharing framework
amongst various healthcare partners, and another to sharing
information between a variety of public sector bodies for a combined
approach to supporting young people). We would welcome the addition
of examples relating to more “mainstream commercial” data sharing
arrangements and the expectations the ICO has in relation to those. By
way of example, such an arrangement arises when a business shares
recipient information with a courier company to deliver packages on its
behalf (i.e. as described in paragraph 39 of the ICO guidance document
“Data controllers and data processors: what the difference is and what
the governance implications are”).


Q11 Does the draft code strike the right balance between recognising
the benefits of sharing data and the need to protect it?


Yes


[ ] No


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[ ] Yes


[x] No


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


Q15 To what extent do you agree that the draft code is clear and easy
to understand?


cT 


Strongly agree 


L 

Agree 
[ ] Neither agree nor disagree
[ ] Disagree
[ ] Strongly disagree

Q16 Are you answering as: 


[ ] An individual acting in a private capacity (e.g. someone
providing their views as a member of the public)


[ ] An individual acting in a professional capacity
On behalf of an organisation
[ ] Other


Please specify the name of your organisation: 


Freeths LLP 


Thank you for taking the time to share your views and experience. 


